If you're on this comm, you've heard this before. You've probably been putting it off. It's time to stop being lazy and just do it.
Pick one. There's Lastpass, KeepassXC, Dashlane, and Bitwarden.
Lastpass, Dashlane and Bitwarden all keep your passwords online, and allow you to easily login to sites with autofill. KeepassXC is the most secure option, and keeps your passwords locally on your device so they aren't stored anywhere else. I don't recommend KeepassXC unless you're really paranoid or need extreme levels of security, since the usability of having to sync your passwords manually is a hassle that's just not worth it for most people. Those first 3 are good, secure options. Take a look, and then pick one. Your password for your password manager needs to be unique, used nowhere else, and LONG. These are all non-negotiable requirements.
AND THEN ENABLE MFA (MULTI-FACTOR AUTHENTICATION]
This makes you need both your password and a second token, like a one-time code on your phone, to login. It's mandatory. Any important accounts that you have NEED to have MFA enabled.
Cool, now it's setup. Put in all the passwords that you remember, add the extension to your browser, and let sites accumulate in the password manager for a while. Then, go and change all the accumulated passwords to long, random strings generated by your password manager. None of your accounts should use any of your old, long reused passwords. None. It's very likely that they're compromised, and they shouldn't be considered secure.
I’m actual a cyber expert and I recommend this alternative method: use the same password for everything. Have it be your pet’s name, followed by the year you were born (if numbers required) and if a special character is required attach an exclamation point on the end. That way you can always remember your passwords because they are all the same.
It’s the best password since when you type it all that shows up is *******
I don't get it. This is important because Trump's twitter account got hacked? Why is that important even? And I'm not the president of a republic I just shitpost on a leftist site.
Like if you want to do all this I have no problem with you doing it, but why on Earth would it matter if someone hacked my chacha login?
This is more about Bank Account info. Stop using your birthyear as your PIN Patrick.
It was haha funny example.
I was more referencing the first time his Twitter got hacked, which was because of password reuse. Researchers found his email in the LinkedIn password databreach, cracked the hash, and tried it on his Twitter account. Open sesame.
This attack method is surprisingly easy to do, and extremely effective if you use the same password for everything, like you would if you didn’t use a password manager.
This is a good method for the boomers among us.
The benefits of a password manager are the convenience of having your passwords auto filled/copied, and the persistence of it on your computer.
With a physical planner, if someone takes it they quite literally own your entire online life. If you’re not worried about being robbed, fed raids aren’t in your threat model, and you trust the people around you, then this should be ok.
Possibly silly question: How is it secure to trust my passwords with a password manager? It sounds like they're storing the passwords, and my understanding is that it's a big problem when websites do that, which is why they're really supposed to store password hashes instead.
My fifteen seconds of research tells me that the online password managers keep the passwords encrypted, so they can only be retrieved by using the master password, and even the companies that make the password managers can't read my passwords. Do I have that right? Basically, I want to know what happens if, say, Lastpass has a security breach.
Good password managers keep your passwords as encrypted data on their servers and never have the decryption key. The key is temporarily generated on the device that you're using with your master password, which is never actually given to the password manager's server. So even if you stole all the data from the password manager's servers, it would be useless to you.
The entire point of a password manager is that they store the passwords securely. This isn't like putting passwords in a excel spreadsheet in google drive, they use top-tier hashing techniques to encrypt your passwords. The point is that by not using one, you are probably more susceptible to having your accounts compromised because you either re-use passwords, have easily remembered passwords (i.e., not long or random enough), and/or have them written down somewhere where they can be retrieved. In any of these cases, you would be better off with a password manager than not. It's not perfect, but there is no perfect when it comes to cybersecurity, only better.
This is less secure, because you can't change them as frequently. Bitwarden can be set to notify you to change passwords and generate new one for you automatically. Also, because it autofills, you can have 30 character long random strings.
Password managers are cool and all but what if I need to log in from someone else’s computer. Happens a lot for me and I don’t want to have to suffer through typing out a string from my phone like a scrub. Do any of these have the option to generate the passwords to be legible? Like random sequences of words and numbers? Potato14Harbor7Gorilla$21 or something?
e: that’s actually a really good password no one look at it I’m gonna use it now
honestly typing out random letters and numbers isn't that bad, you get used to it fast.
I personally use KeePass with my database stored on a flash drive if I need to login outside of my pc for some reason. Reason why I use a local database is because someone has to literally get into your specific computer to get it. Also don't log into your accounts on your mobile phone if you can, they are much more of a weak spot than your pc (easier to steal, much weaker passwords and overall security, use at least 6 digit pins with repeating numbers, never use the silly drawings). Any attempt to degoogle yourself is also step in a good direction.
Degoogle myself
Thanks for the reminder, the downside to having a unique full name
I just setup 2fa with lastpass but now I'm paranoid about losing my phone. I've never lost/broken a phone in like 12 years of pocket glass usage so I'm due for an unfortunate event.
so I’m due for an unfortunate event.
That's not how probability works.
If you've gone 12 years without breaking it, that probably means there's less than a 1/12 chance of breaking it in any given year. This figure is a bit of a simplification of the math but it's pretty close.
There’s usually backup codes that you can put somewhere in the case of you losing your phone. I highly recommend setting that up and putting them somewhere safe and difficult to access, since you shouldn’t ever need to use them.
suspicious that everyone on this site apparently has the same security needs as an FBI agent
I know this is some dumb techno nerd shit but I have an older machine where I keep my passwords on txt file on an offline encrypted netbook with SELinux running on it. Can't access any of them without the master and I change my passwords every 6 months so there's way more incentive for me to memorize them all since running to the password laptop gets annoying. I know it's way more cumbersome but the idea of having all my passwords in the cloud makes me very uncomfortable
I was doing this with a gpg encrypted CSV, then I discovered the standard Unix password manager
pass
. Its only a gpg+git script.Memorizing your passwords is bad opsec. Like I don't think you're gonna be tortured for your chacha password, but if you're doing anything else that needs security, not knowing is much more secure. Really long random character passwords that you never see is best. Also, enable a panic mode on your password manager so you can scuttle it if need be. An online one can be scuttled from anywhere. But a local one can't.
or be like me and have a long ass random password you type constantly that you never remember cuz it's all muscle memory at this point. like, that's the shit with my phone - i literally don't know what the password is.
Use the entropy created from balancing a giant shit on a pigs balls the generate the most secure password possible.